% LaTeX auxiliary (.aux) data. LaTeX rewrites this file on every run, so captions,
% labels and citation keys must be corrected in the .tex source, not here.
% Record types used in this file:
%   \citation   - one citation key used by a \cite in the document
%   \@writefile - one line written to the .toc (contents), .lof (figures) or .lot (tables) file
%   \newlabel   - a \label name with the {number}{page} it resolved to
\relax 
\citation{utility}
\citation{nist:cloud_definition}
\citation{Chen:EECS-2010-5}
% Section 1 (Introduction) starts on page 1.
\@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{1}}
\citation{aryan-cloudcom}
\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces Lab setup}}{2}}
\newlabel{figure:LabDetail}{{1}{2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.1}A Brief Primer on OpenStack}{2}}
\citation{openstack:cactus}
\citation{openstack-wiki:ArchitecturalOverview}
\citation{openstack-wiki:MultiClusterZones}
% The captions of figures 2 and 3 contain a \cite, so the citation command is copied
% into the list-of-figures entry as well.
% NOTE(review): a short caption without the \cite would keep it out of the list of
% figures - confirm in the source whether that is wanted.
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Nova components and their interaction\cite  {openstack-wiki:ArchitecturalOverview} }}{4}}
\newlabel{figure:nova-overview2}{{2}{4}}
\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces OpenStack Compute basic architecture \cite  {openstack-wiki:MultiClusterZones}}}{4}}
\newlabel{figure:NovaComponents_Arch}{{3}{4}}
\citation{SP800-61Rev.1}
\citation{TaheriMonfared:monitoring}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.2}Article structure}{5}}
% Section 2 (Incident handling) starts on page 5: detection and analysis (2.1),
% then the case studies (2.2).
\@writefile{toc}{\contentsline {section}{\numberline {2}Incident handling}{5}}
\newlabel{section:incident handling}{{2}{5}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Detection and Analysis of the compromised component}{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.1}Cloud providers' requirements}{5}}
\citation{amazon:vulnerability-reporting}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.1.2}Cloud consumers' requirements}{7}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Case studies}{7}}
\newlabel{subsection:case studies}{{2.2}{7}}
\citation{aryanthesis}
% Case One: figure 4 and table 1 are both on page 8, together with the 2.2.1 heading.
\@writefile{lof}{\contentsline {figure}{\numberline {4}{\ignorespaces Case One - The nova-compute service in the OpenStack-4 host is compromised.}}{8}}
\newlabel{figure:LabAbstract-Case1}{{4}{8}}
\@writefile{lot}{\contentsline {table}{\numberline {1}{\ignorespaces Case One - A compromised compute worker scenario specifications}}{8}}
\newlabel{table:case one}{{1}{8}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.1}Case One: A Compromised Compute Worker}{8}}
% Both containment labels below resolve to 2.2.1 on page 9, i.e. they carry the
% subsubsection number rather than a number of their own.
% NOTE(review): presumably these \label commands sit in unnumbered text (list items or
% paragraphs), so a \ref to either prints only "2.2.1" - confirm in the source.
\newlabel{containment:malicious code:isolating host}{{2.2.1}{9}}
\newlabel{containment:malicious code:blocking host}{{2.2.1}{9}}
\@writefile{lof}{\contentsline {figure}{\numberline {5}{\ignorespaces Blocking compromised compute communication. Red lightning bolts represent disconnected communications.}}{10}}
% Remaining records for section 2.2 (case studies): \newlabel stores a label's
% {number}{page}; \@writefile{lof}/{lot}/{toc} stores a list-of-figures, list-of-tables
% or contents entry.
% Figure 5 (page 10) and figure 6 (page 11).
\newlabel{figure:ComputeContainment}{{5}{10}}
\@writefile{lof}{\contentsline {figure}{\numberline {6}{\ignorespaces OpenStack Nova service dependencies.}}{11}}
\newlabel{figure:ServiceDependencies}{{6}{11}}
% This label also resolves to the subsubsection number 2.2.1 (page 11).
% NOTE(review): presumably set in unnumbered text, so \ref prints "2.2.1" - confirm.
\newlabel{containment:malicious code:disabling services}{{2.2.1}{11}}
% Figures 7 and 8 and table 2 (containment strategies) all land on page 12.
\@writefile{lof}{\contentsline {figure}{\numberline {7}{\ignorespaces Stopping the compute service at the compromised host.}}{12}}
\newlabel{figure:ComputeContainment2}{{7}{12}}
\@writefile{lof}{\contentsline {figure}{\numberline {8}{\ignorespaces Discarding messages to/from the compromised node.}}{12}}
\newlabel{figure:ComputeContainment3}{{8}{12}}
\@writefile{lot}{\contentsline {table}{\numberline {2}{\ignorespaces Containment Strategies}}{12}}
\newlabel{table:Containment Strategies}{{2}{12}}
% Case Two: table 3 and figure 9 are recorded before the 2.2.2 heading entry,
% although all three are on page 15.
\@writefile{lot}{\contentsline {table}{\numberline {3}{\ignorespaces Case Two - A bogus component scenario specifications}}{15}}
\newlabel{table:case two}{{3}{15}}
\@writefile{lof}{\contentsline {figure}{\numberline {9}{\ignorespaces Case Two - A physical bogus compute worker node is added to the infrastructure.}}{15}}
\newlabel{figure:LabAbstract-Case2}{{9}{15}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.2}Case Two: A bogus component}{15}}
\@writefile{lof}{\contentsline {figure}{\numberline {10}{\ignorespaces Case Two - A virtual bogus compute worker is added as a consumer's instance.}}{16}}
\newlabel{figure:LabAbstract-Case2-Instance}{{10}{16}}
% Records for section 3 (Approaches for Containment and Recovery), pages 17-31.
% It has four subsections: 3.1 platform components, 3.2 instances, 3.3 policies,
% 3.4 comparison. Each approach gets an "approach:..." label holding its number and page.
\@writefile{toc}{\contentsline {section}{\numberline {3}Approaches for Containment and Recovery}{17}}
\newlabel{section:approaches}{{3}{17}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Restriction, disinfection, and replication of infected cloud platform components}{17}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.1.1}Filtering in the messaging server (cloud controller)}{17}}
\newlabel{approach:msg_srv_filter}{{3.1.1}{17}}
% Paragraph-level entries (Advantages / Disadvantages / Realization) have no
% \numberline, i.e. these headings are unnumbered.
\@writefile{toc}{\contentsline {paragraph}{Advantages}{17}}
% A key is recorded once per \cite, so the same key can appear more than once.
\citation{4228359}
\citation{Jokela:2009:LLS:1592568.1592592}
\citation{Broder02networkapplications}
\citation{Jokela:2009:LLS:1592568.1592592}
\@writefile{toc}{\contentsline {paragraph}{Disadvantages}{18}}
\citation{rabbitmq:admin-guide}
\citation{amqp0-8}
\citation{rabbitmq:introduction}
\@writefile{lof}{\contentsline {figure}{\numberline {11}{\ignorespaces RabbitMQ Connections}}{19}}
\newlabel{figure:RabbitMQConnections}{{11}{19}}
\@writefile{toc}{\contentsline {paragraph}{Realization}{19}}
\citation{rabbitmq:introduction}
\@writefile{lof}{\contentsline {figure}{\numberline {12}{\ignorespaces Unbinding a queue from an exchange using the Queues Management page of RabbitMQ}}{20}}
\newlabel{figure:RabbitMQUnbindingExchange}{{12}{20}}
\@writefile{lof}{\contentsline {figure}{\numberline {13}{\ignorespaces Overview of RabbitMQ messaging server and applicable containment approaches. }}{21}}
\newlabel{figure:RabbitMQInternal}{{13}{21}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.1.2}Filtering in each component}{21}}
\newlabel{approach:component_filter}{{3.1.2}{21}}
\@writefile{toc}{\contentsline {paragraph}{Advantages}{21}}
\@writefile{toc}{\contentsline {paragraph}{Disadvantages}{22}}
\@writefile{toc}{\contentsline {paragraph}{Realization}{22}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.1.3}Disabling services}{23}}
\newlabel{approach:disabling_service}{{3.1.3}{23}}
\@writefile{toc}{\contentsline {paragraph}{Disabling an infected service}{23}}
\@writefile{toc}{\contentsline {paragraph}{Disabling a communicator service}{24}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.1.4}Replicating services}{24}}
\newlabel{approach:replicate_service}{{3.1.4}{24}}
\citation{5678134}
\citation{puppet}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.1.5}Disinfecting infected components}{25}}
\newlabel{approach:disinfecting_component}{{3.1.5}{25}}
% 3.2: approaches applied to consumer instances rather than platform components.
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Isolation, disinfection, and migration of instances}{26}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.1}Removing instances from the project VLAN}{26}}
\newlabel{approach:removing_vlan}{{3.2.1}{26}}
\citation{xenaccess}
\citation{libvirt}
\citation{garfinkel:vmi}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.2}Disabling live migration}{27}}
% NOTE(review): the label key is spelled "disble" (missing "a"). If it is renamed, the
% \label and every \ref to it in the source must change together.
\newlabel{approach:disble_live_migration}{{3.2.2}{27}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.3}Quarantining instances}{27}}
\newlabel{approach:quarantine}{{3.2.3}{27}}
\citation{vTPM}
\citation{Santos09towardstrusted}
\citation{TVDc}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.4}Recovering an instance}{28}}
\newlabel{approach:disinfect_instance}{{3.2.4}{28}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.5}Migrating instances}{29}}
\newlabel{approach:migrate_instance}{{3.2.5}{29}}
% 3.3: policy-level approaches; the two RabbitMQ citations (ssl, auth) are recorded
% right after the 3.3.1 "Component authentication" entry.
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Policies}{29}}
\newlabel{approaches:policies}{{3.3}{29}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.3.1}Component authentication}{29}}
\newlabel{approach:component_auth}{{3.3.1}{29}}
\citation{rabbitmq:ssl}
\citation{rabbitmq:auth}
\@writefile{lof}{\contentsline {figure}{\numberline {14}{\ignorespaces A simple Finite State Machine (FSM) model for trust states of a component.}}{30}}
\newlabel{figure:TrustMarkov1}{{14}{30}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.3.2}No new worker policy}{30}}
\newlabel{approach:no_new_worker}{{3.3.2}{30}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.3.3}Trust levels and timeouts}{30}}
% Two labels resolve to the same number and page (3.3.3, page 30), so \ref gives the
% same output for both.
% NOTE(review): "manual_confirmation" presumably marks unnumbered text inside 3.3.3 - confirm.
\newlabel{approach:trust_levels}{{3.3.3}{30}}
\newlabel{approach:manual_confirmation}{{3.3.3}{30}}
\@writefile{lof}{\contentsline {figure}{\numberline {15}{\ignorespaces A simple FSM model for transitions between different trust levels of a component.}}{31}}
\newlabel{figure:TrustMarkov2}{{15}{31}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Comparison}{31}}
\newlabel{subsection:comparison}{{3.4}{31}}
% Records for section 4 (Conclusion, page 32) and the comparison table (table 4, page 33).
% \citation stores a cited key; \newlabel stores a label's resolved number and page.
\citation{aryanthesis}
\citation{welsh:cloud-research}
\citation{opencirrus}
\citation{google:Exacycle}
\citation{aws:grants}
\@writefile{toc}{\contentsline {section}{\numberline {4}Conclusion}{32}}
\newlabel{section:conclusion}{{4}{32}}
% Unlike every other \newlabel here, this one stores a single value (33) instead of a
% {number}{page} pair. 33 is also the page recorded for table 4 below.
% NOTE(review): presumably a page marker written by a rotated-float package for the
% comparison table - confirm against the preamble.
\newlabel{RF1}{33}
\@writefile{lot}{\contentsline {table}{\numberline {4}{\ignorespaces Comparison (RS: Responsible stakeholder, CP: Cloud Provider, CC: Cloud Consumer, P: Proactive, R: Reactive)}}{33}}
\newlabel{table:comparison}{{4}{33}}
% Bibliography records. \bibstyle names the BibTeX style and \bibdata the database;
% both are called bmc_article here.
\bibstyle{bmc_article}
\bibdata{bmc_article}
% \bibcite maps each citation key to the number printed for it in the text.
% The 31 keys are numbered 1-31 in the order they are first cited in this file.
\bibcite{utility}{1}
\bibcite{nist:cloud_definition}{2}
\bibcite{Chen:EECS-2010-5}{3}
\bibcite{aryan-cloudcom}{4}
\bibcite{openstack:cactus}{5}
\bibcite{openstack-wiki:ArchitecturalOverview}{6}
\bibcite{openstack-wiki:MultiClusterZones}{7}
\bibcite{SP800-61Rev.1}{8}
\bibcite{TaheriMonfared:monitoring}{9}
\bibcite{amazon:vulnerability-reporting}{10}
\bibcite{aryanthesis}{11}
\bibcite{4228359}{12}
\bibcite{Jokela:2009:LLS:1592568.1592592}{13}
\bibcite{Broder02networkapplications}{14}
\bibcite{rabbitmq:admin-guide}{15}
\bibcite{amqp0-8}{16}
\bibcite{rabbitmq:introduction}{17}
\bibcite{5678134}{18}
\bibcite{puppet}{19}
\bibcite{xenaccess}{20}
\bibcite{libvirt}{21}
\bibcite{garfinkel:vmi}{22}
\bibcite{vTPM}{23}
\bibcite{Santos09towardstrusted}{24}
\bibcite{TVDc}{25}
\bibcite{rabbitmq:ssl}{26}
\bibcite{rabbitmq:auth}{27}
\bibcite{welsh:cloud-research}{28}
\bibcite{opencirrus}{29}
\bibcite{google:Exacycle}{30}
\bibcite{aws:grants}{31}
